Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Moments moments allows PHP Local File Inclusion.This issue affects Moments: from n/a through <= 2.2.
Published: 2026-03-25
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via Local File Inclusion
Action: Immediate Patch
AI Analysis

Impact

An improper control over the filename used in PHP include/require statements allows an attacker to include unintended local files. This Local File Inclusion vulnerability can lead to the execution of arbitrary PHP code, potentially providing full control over the affected system. The weakness is identified as CWE‑98, indicating unsafe inclusion of files based on user-controlled input.

Affected Systems

The vulnerability affects the WordPress Moments theme provided by Select‑Themes, with all releases up to and including version 2.2 vulnerable. No other products or versions are listed as affected.

Risk and Exploitability

The CVSS score of 8.1 reflects a high severity, while an EPSS score of less than 1% indicates a low probability of widespread exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Attackers can likely exploit it by manipulating query parameters or other input that determines the included file path, and only minimal configuration changes on the server are required to defend against it.

Generated by OpenCVE AI on March 26, 2026 at 17:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Moments theme version (v2.3 or later) from the vendor or remove the theme entirely if an upgrade cannot be performed
  • If the theme must remain, implement strict input validation to ensure that file paths used in include/require statements are resolved against a whitelist of allowed directories
  • Configure the web server to disallow execution of PHP files in upload directories and set the correct permissions for theme files
  • Deploy a web application firewall or similar controls to detect and block suspicious file inclusion attempts
  • Monitor web server logs for anomalous include/require activity that may indicate exploitation attempts

Generated by OpenCVE AI on March 26, 2026 at 17:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Select-themes
Select-themes moments
Wordpress
Wordpress wordpress
Vendors & Products Select-themes
Select-themes moments
Wordpress
Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Moments moments allows PHP Local File Inclusion.This issue affects Moments: from n/a through <= 2.2.
Title WordPress Moments theme <= 2.2 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

Subscriptions

Select-themes Moments
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-26T15:30:10.613Z

Reserved: 2026-02-02T12:53:53.793Z

Link: CVE-2026-25458

cve-icon Vulnrichment

Updated: 2026-03-26T15:30:05.194Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-25T17:16:52.010

Modified: 2026-03-30T13:27:12.923

Link: CVE-2026-25458

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:31:38Z

Weaknesses